Easebay Resources Paypal Subscription Manager Multiple Input Validation Vulnerabilities

Bugtraq ID:	22141
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 20 2007 12:00AM
Updated:	Jan 25 2007 04:13PM
Credit:	DoZ is credited with the discovery of these vulnerabilities.
Vulnerable:	Easebay Resources Paypal Subscription Manager 0
Not Vulnerable:

Easebay Resources Paypal Subscription Manager Multiple Input Validation Vulnerabilities

Easebay Resources Paypal Subscription Manager is prone to multiple input-validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. The vulnerabilities include an SQL-injection issue and a cross-site scripting issue.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, retrieve sensitive information, access or modify data, or exploit latent vulnerability in the underlying database implementation.

Easebay Resources Paypal Subscription Manager Multiple Input Validation Vulnerabilities

To exploit a cross-site scripting issue:

An attacker can exploit this issue by enticing an unsuspecting user into following a malicious URI.

An example URI has been provided:

http://www.example.com/psm/admin/memberlist.php?keyword=[SQl]&p=a&by=1&sbmt1=++Search++&init_row=0&sort=create_time&sq=desc&status=1

To exploit an SQL-injection issue:

An attacker can exploit this issue via a web client.

An example URI has been provided:

http://www.example.com/psm/admin/edit_member.php?username=Admin=[XSS]

Easebay Resources Paypal Subscription Manager Multiple Input Validation Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Easebay Resources Paypal Subscription Manager Multiple Input Validation Vulnerabilities

References:

• Paypal Subscription Manager Web Site (Paypal Subscription Manager)
  
• Paypal Subscription Manager Multiple HTML Injections ([email protected])